Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mreu-vp8d-gfed
Vulnerability ID VCID-mreu-vp8d-gfed
Aliases CVE-2025-62249
GHSA-rx48-gqc2-4w47
Summary Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00025 https://api.first.org/data/v1/epss?cve=CVE-2025-62249
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rx48-gqc2-4w47
cvssv4 6.9 https://github.com/liferay/liferay-portal
generic_textual MODERATE https://github.com/liferay/liferay-portal
cvssv4 6.9 https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5
generic_textual MODERATE https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5
cvssv4 6.9 https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791
generic_textual MODERATE https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791
cvssv4 6.9 https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8
generic_textual MODERATE https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8
cvssv4 6.9 https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
generic_textual MODERATE https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
ssvc Track https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2025-62249
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-62249
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-62249
https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5
https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791
https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
https://nvd.nist.gov/vuln/detail/CVE-2025-62249
GHSA-rx48-gqc2-4w47 https://github.com/advisories/GHSA-rx48-gqc2-4w47
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/liferay/liferay-portal
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/liferay/liferay-portal/commit/66c51e026f7c9eee8f82137a586ceea5bdc081a5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/liferay/liferay-portal/commit/8309d01f151124e1af392b67baf9711e46488791
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/liferay/liferay-portal/commit/f041e7058929618bb101b8e4bae5a8a226e6f8b8
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-21T18:30:38Z/ Found at https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-62249
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07754
EPSS Score 0.00025
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:43.524316+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-rx48-gqc2-4w47/GHSA-rx48-gqc2-4w47.json 38.6.0